@intentius/chant-lexicon-helm 0.0.16

package/src/lint/post-synth/whm105.ts

@@ -0,0 +1,30 @@
+/**
+ * WHM105: _helpers.tpl exists.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm105: PostSynthCheck = {
+  id: "WHM105",
+  description: "_helpers.tpl must exist in templates/",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      if (!files["templates/_helpers.tpl"]) {
+        diagnostics.push({
+          checkId: "WHM105",
+          severity: "warning",
+          message: "templates/_helpers.tpl is missing",
+          lexicon: "helm",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm201.ts

@@ -0,0 +1,36 @@
+/**
+ * WHM201: Resources should have standard Helm labels.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm201: PostSynthCheck = {
+  id: "WHM201",
+  description: "K8s resources should include standard Helm labels",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      for (const [filename, content] of Object.entries(files)) {
+        if (!filename.startsWith("templates/") || filename.endsWith("_helpers.tpl") || filename.endsWith("NOTES.txt")) continue;
+
+        // Check if the template references the standard labels helper
+        if (content.includes("kind:") && !content.includes(".labels") && !content.includes("helm.sh/chart")) {
+          diagnostics.push({
+            checkId: "WHM201",
+            severity: "info",
+            message: `${filename} does not include standard Helm labels — consider using include "<chart>.labels"`,
+            entity: filename,
+            lexicon: "helm",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm202.ts

@@ -0,0 +1,50 @@
+/**
+ * WHM202: Hook weights should be defined for multi-hook charts.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm202: PostSynthCheck = {
+  id: "WHM202",
+  description: "Hook weights should be defined when multiple hooks exist",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      const hooksWithWeight: string[] = [];
+      const hooksWithoutWeight: string[] = [];
+
+      for (const [filename, content] of Object.entries(files)) {
+        if (!filename.startsWith("templates/")) continue;
+
+        if (content.includes("helm.sh/hook:") && !content.includes("helm.sh/hook: test")) {
+          if (content.includes("helm.sh/hook-weight:")) {
+            hooksWithWeight.push(filename);
+          } else {
+            hooksWithoutWeight.push(filename);
+          }
+        }
+      }
+
+      // Only warn if there are multiple hooks and some lack weights
+      const totalHooks = hooksWithWeight.length + hooksWithoutWeight.length;
+      if (totalHooks > 1 && hooksWithoutWeight.length > 0) {
+        for (const filename of hooksWithoutWeight) {
+          diagnostics.push({
+            checkId: "WHM202",
+            severity: "warning",
+            message: `${filename} has a hook but no hook-weight — define weights to control execution order in multi-hook charts`,
+            entity: filename,
+            lexicon: "helm",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm203.ts

@@ -0,0 +1,39 @@
+/**
+ * WHM203: Values entries should be documented.
+ *
+ * Checks that values.yaml has YAML comments or that values.schema.json
+ * provides descriptions. Since Chant generates values.yaml from code,
+ * this check looks for values.schema.json as the documentation source.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm203: PostSynthCheck = {
+  id: "WHM203",
+  description: "Values entries should be documented via schema or comments",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+      const valuesYaml = files["values.yaml"];
+      const schemaJson = files["values.schema.json"];
+
+      if (!valuesYaml || valuesYaml.trim() === "{}") continue;
+
+      // If no schema, values are undocumented
+      if (!schemaJson) {
+        diagnostics.push({
+          checkId: "WHM203",
+          severity: "info",
+          message: "Values are not documented — add a Values type to generate values.schema.json",
+          lexicon: "helm",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm204.ts

@@ -0,0 +1,60 @@
+/**
+ * WHM204: Dependencies should use semver ranges.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+const SEMVER_RANGE_PATTERN = /^[~^>=<*]|\.x/;
+
+export const whm204: PostSynthCheck = {
+  id: "WHM204",
+  description: "Chart dependencies should use semver ranges, not pinned versions",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+      const chartYaml = files["Chart.yaml"];
+      if (!chartYaml) continue;
+
+      // Simple extraction of dependency versions from Chart.yaml
+      const lines = chartYaml.split("\n");
+      let inDependencies = false;
+      let currentDep = "";
+
+      for (const line of lines) {
+        if (line.startsWith("dependencies:")) {
+          inDependencies = true;
+          continue;
+        }
+        if (inDependencies) {
+          if (/^\S/.test(line) && !line.startsWith(" ")) {
+            inDependencies = false;
+            continue;
+          }
+
+          const nameMatch = line.match(/name:\s*(.+)/);
+          if (nameMatch) currentDep = nameMatch[1].trim();
+
+          const versionMatch = line.match(/version:\s*'?([^']+)'?/);
+          if (versionMatch && currentDep) {
+            const version = versionMatch[1].trim();
+            if (!SEMVER_RANGE_PATTERN.test(version)) {
+              diagnostics.push({
+                checkId: "WHM204",
+                severity: "info",
+                message: `Dependency "${currentDep}" uses pinned version "${version}" — consider a semver range (e.g. "~${version}" or "^${version}")`,
+                entity: currentDep,
+                lexicon: "helm",
+              });
+            }
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm301.ts

@@ -0,0 +1,41 @@
+/**
+ * WHM301: At least one test should be defined for application charts.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles, parseChartYaml } from "./helm-helpers";
+
+export const whm301: PostSynthCheck = {
+  id: "WHM301",
+  description: "Application charts should include at least one Helm test",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+      const chartYaml = files["Chart.yaml"];
+      if (!chartYaml) continue;
+
+      const parsed = parseChartYaml(chartYaml);
+      if (parsed.type === "library") continue;
+
+      // Check if any template has helm.sh/hook: test
+      const hasTest = Object.entries(files).some(
+        ([filename, content]) =>
+          filename.startsWith("templates/") && content.includes("helm.sh/hook: test"),
+      );
+
+      if (!hasTest) {
+        diagnostics.push({
+          checkId: "WHM301",
+          severity: "info",
+          message: "No Helm test defined — consider adding a HelmTest for chart validation",
+          lexicon: "helm",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm302.ts

@@ -0,0 +1,40 @@
+/**
+ * WHM302: Resource limits should be set (via values or defaults).
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm302: PostSynthCheck = {
+  id: "WHM302",
+  description: "Container resources (limits/requests) should be set via values or defaults",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      for (const [filename, content] of Object.entries(files)) {
+        if (!filename.startsWith("templates/") || filename.endsWith("_helpers.tpl") || filename.endsWith("NOTES.txt")) continue;
+        if (filename.includes("tests/")) continue;
+
+        // Check for workload types with containers
+        const hasContainers = content.includes("containers:");
+        const hasResources = content.includes("resources:") || content.includes(".Values.resources");
+
+        if (hasContainers && !hasResources) {
+          diagnostics.push({
+            checkId: "WHM302",
+            severity: "info",
+            message: `${filename} has containers but no resource limits — consider using toYaml(values.resources) or setting defaults`,
+            entity: filename,
+            lexicon: "helm",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm401.ts

@@ -0,0 +1,57 @@
+/**
+ * WHM401: Image uses `:latest` tag or no tag.
+ *
+ * Scans template `image:` lines for literal values (not `.Values` refs)
+ * ending in `:latest` or missing `:`.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm401: PostSynthCheck = {
+  id: "WHM401",
+  description: "Container images should not use :latest tag or omit tag entirely",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      for (const [filename, content] of Object.entries(files)) {
+        if (!filename.startsWith("templates/") || filename.endsWith("_helpers.tpl") || filename.endsWith("NOTES.txt")) continue;
+        if (filename.includes("tests/")) continue;
+
+        for (const line of content.split("\n")) {
+          const trimmed = line.trim();
+          if (!trimmed.startsWith("image:")) continue;
+          const value = trimmed.slice("image:".length).trim();
+
+          // Skip template references
+          if (value.includes(".Values") || value.includes("{{")) continue;
+
+          // Check for :latest or no tag
+          if (value.endsWith(":latest") || value.endsWith(":latest'") || value.endsWith(':latest"')) {
+            diagnostics.push({
+              checkId: "WHM401",
+              severity: "warning",
+              message: `${filename}: image uses :latest tag — pin to a specific version for reproducible deployments`,
+              entity: filename,
+              lexicon: "helm",
+            });
+          } else if (value && !value.includes(":") && !value.includes("{{")) {
+            diagnostics.push({
+              checkId: "WHM401",
+              severity: "warning",
+              message: `${filename}: image has no tag — defaults to :latest, pin to a specific version`,
+              entity: filename,
+              lexicon: "helm",
+            });
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm402.ts

@@ -0,0 +1,45 @@
+/**
+ * WHM402: No `runAsNonRoot` security context.
+ *
+ * For files with `containers:`, checks for `runAsNonRoot: true` or
+ * a `.Values.securityContext` reference.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm402: PostSynthCheck = {
+  id: "WHM402",
+  description: "Containers should set runAsNonRoot in security context",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      for (const [filename, content] of Object.entries(files)) {
+        if (!filename.startsWith("templates/") || filename.endsWith("_helpers.tpl") || filename.endsWith("NOTES.txt")) continue;
+        if (filename.includes("tests/")) continue;
+
+        const hasContainers = content.includes("containers:");
+        if (!hasContainers) continue;
+
+        const hasRunAsNonRoot = content.includes("runAsNonRoot: true") || content.includes("runAsNonRoot: true");
+        const hasSecurityContextRef = content.includes(".Values.securityContext") || content.includes(".Values.podSecurityContext");
+
+        if (!hasRunAsNonRoot && !hasSecurityContextRef) {
+          diagnostics.push({
+            checkId: "WHM402",
+            severity: "warning",
+            message: `${filename}: containers lack runAsNonRoot — set securityContext.runAsNonRoot: true or use .Values.securityContext`,
+            entity: filename,
+            lexicon: "helm",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm403.ts

@@ -0,0 +1,45 @@
+/**
+ * WHM403: No `readOnlyRootFilesystem` security context.
+ *
+ * For files with `containers:`, checks for `readOnlyRootFilesystem: true`
+ * or a `.Values.securityContext` reference.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm403: PostSynthCheck = {
+  id: "WHM403",
+  description: "Containers should set readOnlyRootFilesystem in security context",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      for (const [filename, content] of Object.entries(files)) {
+        if (!filename.startsWith("templates/") || filename.endsWith("_helpers.tpl") || filename.endsWith("NOTES.txt")) continue;
+        if (filename.includes("tests/")) continue;
+
+        const hasContainers = content.includes("containers:");
+        if (!hasContainers) continue;
+
+        const hasReadOnly = content.includes("readOnlyRootFilesystem: true");
+        const hasSecurityContextRef = content.includes(".Values.securityContext") || content.includes(".Values.podSecurityContext");
+
+        if (!hasReadOnly && !hasSecurityContextRef) {
+          diagnostics.push({
+            checkId: "WHM403",
+            severity: "info",
+            message: `${filename}: containers lack readOnlyRootFilesystem — consider setting securityContext.readOnlyRootFilesystem: true`,
+            entity: filename,
+            lexicon: "helm",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm404.ts

@@ -0,0 +1,36 @@
+/**
+ * WHM404: `privileged: true` found — security risk.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm404: PostSynthCheck = {
+  id: "WHM404",
+  description: "Containers must not run in privileged mode",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      for (const [filename, content] of Object.entries(files)) {
+        if (!filename.startsWith("templates/") || filename.endsWith("_helpers.tpl") || filename.endsWith("NOTES.txt")) continue;
+        if (filename.includes("tests/")) continue;
+
+        if (content.includes("privileged: true")) {
+          diagnostics.push({
+            checkId: "WHM404",
+            severity: "error",
+            message: `${filename}: privileged: true detected — containers should not run in privileged mode`,
+            entity: filename,
+            lexicon: "helm",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm405.ts

@@ -0,0 +1,53 @@
+/**
+ * WHM405: Resource spec missing `cpu`/`memory` in `limits`/`requests`.
+ *
+ * When `resources:` is present (not via `.Values`), validates that
+ * sub-keys `limits` and `requests` with `cpu`/`memory` exist.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm405: PostSynthCheck = {
+  id: "WHM405",
+  description: "Resource specs should include cpu and memory in limits/requests",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      for (const [filename, content] of Object.entries(files)) {
+        if (!filename.startsWith("templates/") || filename.endsWith("_helpers.tpl") || filename.endsWith("NOTES.txt")) continue;
+        if (filename.includes("tests/")) continue;
+
+        // Skip if resources are via values
+        if (!content.includes("resources:") || content.includes(".Values.resources")) continue;
+
+        const hasLimits = content.includes("limits:");
+        const hasRequests = content.includes("requests:");
+
+        if (!hasLimits && !hasRequests) continue;
+
+        const hasCpu = content.includes("cpu:");
+        const hasMemory = content.includes("memory:");
+
+        if (!hasCpu || !hasMemory) {
+          const missing = [];
+          if (!hasCpu) missing.push("cpu");
+          if (!hasMemory) missing.push("memory");
+          diagnostics.push({
+            checkId: "WHM405",
+            severity: "warning",
+            message: `${filename}: resource spec missing ${missing.join(" and ")} — set both cpu and memory in limits/requests`,
+            entity: filename,
+            lexicon: "helm",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm406.ts

@@ -0,0 +1,34 @@
+/**
+ * WHM406: Chart uses `crds/` directory — warn that Helm never upgrades/deletes CRDs.
+ *
+ * Suggests using `HelmCRDLifecycle` composite for managed CRD lifecycle.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm406: PostSynthCheck = {
+  id: "WHM406",
+  description: "CRDs in crds/ directory are never upgraded or deleted by Helm",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      const hasCrdDir = Object.keys(files).some((f) => f.startsWith("crds/"));
+      if (hasCrdDir) {
+        diagnostics.push({
+          checkId: "WHM406",
+          severity: "info",
+          message: "Chart uses crds/ directory — Helm installs CRDs but never upgrades or deletes them. Consider using HelmCRDLifecycle composite for managed CRD lifecycle.",
+          entity: "crds/",
+          lexicon: "helm",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/whm407.ts

@@ -0,0 +1,83 @@
+/**
+ * WHM407: `kind: Secret` with inline `data:` values and no ExternalSecret/SealedSecret.
+ *
+ * Warns when secrets contain inline data values (not `.Values` refs) and the chart
+ * does not use ExternalSecret or SealedSecret resources.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm407: PostSynthCheck = {
+  id: "WHM407",
+  description: "Secrets with inline data should use ExternalSecret or SealedSecret",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+
+      // Check if chart uses ExternalSecret or SealedSecret anywhere
+      const allContent = Object.values(files).join("\n");
+      const hasExternalSecret = allContent.includes("ExternalSecret") || allContent.includes("SealedSecret");
+
+      for (const [filename, content] of Object.entries(files)) {
+        if (!filename.startsWith("templates/") || filename.endsWith("_helpers.tpl") || filename.endsWith("NOTES.txt")) continue;
+        if (filename.includes("tests/")) continue;
+
+        if (!content.includes("kind: Secret")) continue;
+
+        // Scan for inline data values in data: or stringData: sections
+        const lines = content.split("\n");
+        let inData = false;
+        let dataIndent = -1;
+        let hasLiteralValues = false;
+
+        for (const line of lines) {
+          const trimmed = line.trim();
+          if (!trimmed || trimmed.startsWith("#")) continue;
+
+          const indent = line.length - line.trimStart().length;
+
+          if (trimmed === "data:" || trimmed === "stringData:") {
+            inData = true;
+            dataIndent = indent;
+            continue;
+          }
+
+          if (inData) {
+            // If we've returned to the same or lower indent level, exit data section
+            if (indent <= dataIndent && trimmed) {
+              inData = false;
+              dataIndent = -1;
+              continue;
+            }
+            // Check if value is a literal (not a template expression)
+            if (!trimmed.includes("{{") && !trimmed.includes(".Values")) {
+              const colonIdx = trimmed.indexOf(":");
+              if (colonIdx > 0 && trimmed.length > colonIdx + 1 && trimmed[colonIdx + 1] === " ") {
+                const val = trimmed.slice(colonIdx + 1).trim();
+                if (val) {
+                  hasLiteralValues = true;
+                }
+              }
+            }
+          }
+        }
+
+        if (hasLiteralValues && !hasExternalSecret) {
+          diagnostics.push({
+            checkId: "WHM407",
+            severity: "warning",
+            message: `${filename}: Secret with inline data values — consider using ExternalSecret or SealedSecret for secret management`,
+            entity: filename,
+            lexicon: "helm",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};